1 files changed, 81 insertions, 8 deletions

diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 6e0a5002a..fec02dbad 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,10 +24,15 @@
 #include <utils/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
-#define X509_NO_PATH_LEN_CONSTRAINT		-1
+/* constraints are currently restricted to the range 0..127 */
+#define X509_NO_CONSTRAINT	255
 
 typedef struct x509_t x509_t;
+typedef struct x509_cert_policy_t x509_cert_policy_t;
+typedef struct x509_policy_mapping_t x509_policy_mapping_t;
+typedef struct x509_cdp_t x509_cdp_t;
 typedef enum x509_flag_t x509_flag_t;
+typedef enum x509_constraint_t x509_constraint_t;
 
 /**
  * X.509 certificate flags.
@@ -49,12 +54,55 @@ enum x509_flag_t {
 	X509_SELF_SIGNED =		(1<<5),
 	/** cert has an ipAddrBlocks extension */
 	X509_IP_ADDR_BLOCKS =	(1<<6),
+	/** cert has CRL sign key usage */
+	X509_CRL_SIGN =			(1<<7),
 };
 
 /**
- * enum names for x509 flags
+ * Different numerical X.509 constraints.
  */
-extern enum_name_t *x509_flag_names;
+enum x509_constraint_t {
+	/** pathLenConstraint basicConstraints */
+	X509_PATH_LEN,
+	/** inhibitPolicyMapping policyConstraint */
+	X509_INHIBIT_POLICY_MAPPING,
+	/** requireExplicitPolicy policyConstraint */
+	X509_REQUIRE_EXPLICIT_POLICY,
+	/** inhibitAnyPolicy constraint */
+	X509_INHIBIT_ANY_POLICY,
+};
+
+/**
+ * X.509 certPolicy extension.
+ */
+struct x509_cert_policy_t {
+	/** OID of certPolicy */
+	chunk_t oid;
+	/** Certification Practice Statement URI qualifier */
+	char *cps_uri;
+	/** UserNotice Text qualifier */
+	char *unotice_text;
+};
+
+/**
+ * X.509 policyMapping extension
+ */
+struct x509_policy_mapping_t {
+	/** OID of issuerDomainPolicy */
+	chunk_t issuer;
+	/** OID of subjectDomainPolicy */
+	chunk_t subject;
+};
+
+/**
+ * X.509 CRL distributionPoint
+ */
+struct x509_cdp_t {
+	/** CDP URI, as string */
+	char *uri;
+	/** CRL issuer */
+	identification_t *issuer;
+};
 
 /**
  * X.509 certificate interface.
@@ -98,11 +146,12 @@ struct x509_t {
 	chunk_t (*get_authKeyIdentifier)(x509_t *this);
 
 	/**
-	 * Get an optional path length constraint.
+	 * Get a numerical X.509 constraint.
 	 *
-	 * @return			pathLenConstraint, -1 if no constraint exists
+	 * @param type		type of constraint to get
+	 * @return			constraint, X509_NO_CONSTRAINT if none found
 	 */
-	int (*get_pathLenConstraint)(x509_t *this);
+	u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
 
 	/**
 	 * Create an enumerator over all subjectAltNames.
@@ -112,9 +161,9 @@ struct x509_t {
 	enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
 
 	/**
-	 * Create an enumerator over all CRL URIs.
+	 * Create an enumerator over all CRL URIs and CRL Issuers.
 	 *
-	 * @return			enumerator over URIs as char*
+	 * @return			enumerator over x509_cdp_t
 	 */
 	enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
 
@@ -131,6 +180,30 @@ struct x509_t {
 	 * @return			enumerator over ipAddrBlocks as traffic_selector_t*
 	 */
 	enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
+
+	/**
+	 * Create an enumerator over name constraints.
+	 *
+	 * @param perm		TRUE for permitted, FALSE for excluded subtrees
+	 * @return			enumerator over subtrees as identification_t
+	 */
+	enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
+
+	/**
+	 * Create an enumerator over certificate policies.
+	 *
+	 * @return			enumerator over x509_cert_policy_t
+	 */
+	enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
+
+	/**
+	 * Create an enumerator over policy mappings.
+	 *
+	 * @return			enumerator over x509_policy_mapping
+	 */
+	enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
+
+
 };
 
 #endif /** X509_H_ @}*/